What is the NX/XD feature?


Environment

  • Red Hat Enterprise Linux 5.
  • Red Hat Enterprise Linux 6.
  • Red Hat Enterprise Linux 7.
  • Red Hat Enterprise Linux 8.

Issue

  • What is the NX/XD feature?
  • How to check whether NX/XD is enabled?
  • How to enable or disable NX/XD?

Resolution

  • NX/XD is a hardware CPU feature that is provided by almost all hardware. Some BIOSes have an advanced option for enabling or disabling it.

  • NX stands for No eXecute and XD stands for eXecute Disable. Both names refer to the same technology, which is used in processors to prevent execution of certain types of code.

Checking the status

  • If the CPU has this feature, it is enabled by default unless it is overridden by the noexec=off kernel parameter.

RHEL-7/8

To check whether the feature is enabled on the system, check the boot messages either in /var/log/messages or in the output of dmesg.

  • From the /var/log/messages file:
# cat /var/log/messages | grep "Execute Disable"
Feb 20 23:20:41 localhost kernel: NX (Execute Disable) protection: active
  • From the dmesg command:
# dmesg | grep "Execute Disable"
[    0.000000] NX (Execute Disable) protection: active

Both /var/log/messages and dmesg may have accumulated enough messages that the initial boot messages have disappeared or been rotated out, in which case the message will not be visible. As a workaround, you can also try checking /var/log/dmesg and, in Red Hat Enterprise Linux 7 only, you can use journalctl -b | grep 'Execute Disable'.

RHEL-5/6

The NX bit status boot messages are not present in RHEL-6/RHEL-5.

  • To check whether or not the CPU supports the nx feature, check /proc/cpuinfo for the nx flag:
# cat /proc/cpuinfo | grep nx | uniq
flags       : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts mmx fxsr sse sse2 ss ht syscall nx rdtscp lm constant_tsc arch_perfmon pebs bts xtopology tsc_reliable nonstop_tsc aperfmperf unfair_spinlock pni pclmulqdq ssse3 cx16 pcid sse4_1 sse4_2 x2apic popcnt aes xsave avx hypervisor lahf_lm ida arat epb pln pts dts
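The checks above can be combined into one script. This is an added example, not part of the original Red Hat solution: the function names and the status strings it prints are assumptions made here, and it reads the running kernel's command line from /proc/cmdline to look for noexec=off.

```shell
#!/bin/sh
# Added example: report NX/XD state from the sources this article describes.
# Function names and status strings are illustrative, not Red Hat tooling.

# cpu_has_nx FILE: succeed if a "flags" line in a cpuinfo-format file
# lists nx as a whole word (so an unrelated flag containing "nx" is ignored).
cpu_has_nx() {
    awk '/^flags/ { for (i = 1; i <= NF; i++) if ($i == "nx") found = 1 }
         END { exit !found }' "$1"
}

# cmdline_disables_nx FILE: succeed if the kernel command line in FILE
# contains the exact parameter noexec=off.
cmdline_disables_nx() {
    tr ' ' '\n' < "$1" | grep -qx 'noexec=off'
}

# boot_log_state: read boot messages on stdin and print whatever follows
# "NX (Execute Disable) protection: " on the first matching line.
# Prints nothing if the boot message has been rotated out of the log.
# Usage on RHEL 7/8:  dmesg | boot_log_state
boot_log_state() {
    sed -n 's/.*NX (Execute Disable) protection: \(.*\)$/\1/p' | head -n 1
}

# nx_status CPUINFO CMDLINE: combine the CPU flag and the boot parameter.
# This works on RHEL 5/6 as well, where the boot message is not present.
nx_status() {
    if ! cpu_has_nx "$1"; then
        echo "nx-flag-absent"            # CPU does not report the nx flag
    elif cmdline_disables_nx "$2"; then
        echo "disabled-by-noexec=off"    # supported, but turned off at boot
    else
        echo "enabled"                   # supported and not overridden
    fi
}

# Live check against the running system, when the files are readable.
if [ -r /proc/cpuinfo ] && [ -r /proc/cmdline ]; then
    echo "NX status: $(nx_status /proc/cpuinfo /proc/cmdline)"
fi
```

An empty result from boot_log_state only means the boot message is not in the input; use nx_status in that case.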

Enabling/Disabling

Although we do not recommend you disable NX/XD, it is possible to explicitly enable or disable the feature using the noexec kernel option. From the kernel source documentation:

noexec      [X86]
        On X86-32 available only on PAE configured kernels.
        noexec=on: enable non-executable mappings (default)
        noexec=off: disable non-executable mappings

For instructions on how to modify kernel parameters, please check the following solution:

How to manually modify the boot parameter in grub before the system boots

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
